Creates a new field by evaluating the provided expression. The eval string must always start with an assignment (f=expr). The result is stored in a field with that name. In an expression, it's possible to supply names of fields, strings and numbers. The operators available are ==, !=, as well as +, -, *, and / and parenthesized expressions.

eval() accepts multiple expressions to be evaluated, separated by a comma, in the form of field_name = expression.

The following are all valid examples:

logscale
eval(a = 3)
logscale
eval(a = b, x = y + z)

In the context of an eval() expression — unlike filters — identifiers always denote field values. For example:

logscale Syntax
eval( is_warning= (loglevel==WARN) )

is most likely wrong; you want to write:

logscale Syntax
(loglevel=="WARN")

The order of evaluation of arguments is left to right.

The expression:

logscale Syntax
eval(f=expr)

only results in an assignment to f when expr yields a result — which is not the case when a field in the expression does not exist, or it's not a number.

This means that fields are not created if the source event is missing a value.

If f already existed as a field on the event and expr did not yield any result, then f is unchanged.

eval() Examples

Get response size in KB

logscale
eval(responsesize = responsesize / 1024)

Add fields together

logscale
eval(c = a + b)

Match a field to the timespan. Count should be per minute (not 5 minutes as the bucket span is)

logscale
timechart(method, span=5min)
| eval(_count=_count/5)